The Need for Auditing Linux Operating Systems: A Practical Approach

It is important for an auditor to ascertain the audit objective, business goal and criticality of the system for the organization at the beginning of an audit.

An information system is an integrated set of business components used for collecting, storing and processing data, and for delivering business information, knowledge and digital products. Business firms and other organizations rely on information systems to carry out and manage their operations, interact with their customers and suppliers, and compete in the marketplace.

To support these tasks, information assurance and audit professionals need to perform system audits; the system audit discussed here is considered with respect to Linux system auditing.

There are different operating systems (OS) used in IT infrastructures, and their technological capabilities are changing quickly. The OS is a crucial part of IT infrastructure implementation, management and operations. Advanced technology provides a wide range of flexibility when using different OSs, but it also increases the likelihood of attacks. These OS advances also drive massive and rapid increases in the number of people with access to them. The speed of these changes has no precedent in human history, and the power of these technologies has transformed the work environment and our personal lives and brought with it many positive contributions.

It is important for an auditor to know about the different operating systems and the changes made to them; otherwise, undetected vulnerabilities may damage the company's image, reputation and business goals. Technology is never perfect; by design, hardware vulnerabilities and software errors can be impossible to avoid entirely.

In my recent Journal article, I discuss the Linux operating system and the steps for auditing it, which can help ensure the penetration of the Linux operating system complies with the organization's security policy. The users or Linux operating system administrators who use sophisticated service technologies have limited knowledge or awareness of security issues and what their roles are in managing them. In this article, I identify the security issues to be aware of and hope to initiate a discussion with peers around the globe.

Third-party Product Insecurity Is Costing You

Insecure third-party software products contribute significant risk to an organization. When an enterprise buys, uses or downloads web, mobile and desktop software, it inherits the risk that stems from that software's insecurity. This is also true for the embedded devices that make up the Internet of Things (IoT). Nearly all of the vulnerabilities listed in the Common Vulnerabilities and Exposures database are rooted in software. This means, for example, that nearly all malware today takes advantage of some secure-programming mistake in other software, such as an operating system or browser.

One might expect that by now, product vendors would have responded in kind by holistically incorporating security into their software development processes. Unfortunately, that is far from reality. Most software development organizations rely on automated testing tools, which the US National Institute of Standards and Technology (NIST) SAMATE project has shown capture only a small percentage of security vulnerabilities.

Addressing Vendor Security Risk

No one could ever imagine that vendor connectivity would be exploited and go unnoticed for several months, causing numerous attacks on enterprises that have state-of-the-art security. Very few risk management programs would have accounted for such a risk, which is not only large in impact but also hard to predict: what philosopher-epistemologist Nassim Nicholas Taleb calls “black swans,” in reference to the fact that Europeans once knew that all swans were white, until explorers in Australia discovered black swans.

The question then arises: What should have been done to prevent, or at least detect, such an attack? The buck typically passes to risk management teams, who ideally should have projected such risk factors for treatment. Conventionally, enterprises have onboarded their IT vendors only after a security due diligence process. It is vital that the same process is exercised for all vendors, regardless of the services they provide. The most desirable outcome of such an exercise is an understanding of the security risk that an enterprise would face in day-to-day business.

Managing a Global Team in the Compliance World

Human resource management (HRM) is an area in which every manager has to constantly mature throughout their career. It becomes even more of a challenge when dealing with intra-regional and extra-regional boundaries that are inevitably going to stretch the demands of a robust and well-balanced people manager. Add to that the complexities of compliance, whether it is audit, privacy, ethics or information security, and HRM becomes exponentially harder, considering the sensitivity of these areas. The issues of a multigenerational workforce, along with increasing challenges with cultural diversity and inclusiveness, can lead to some challenges in having a global team. However, the benefits are quite significant, and this becomes even more important for an organization that is truly global in nature. Some of these benefits include proximity to customers (internal and external), a broader reaching talent pool and flexibility in managing resources.

Monitoring, Analysis and Incident Management for Secure Data Centers

Our recent ISACA Journal article discusses the requirements for a military-grade secure data center based on the Advanced National Security Infrastructure System (ANSIS) by the National Computing and Information Agency (NCIA) in South Korea and the International Telecommunication Union (ITU-T) X.805.

This blog discusses the role of security operations center (SOC) functions, namely monitoring, visualization and incident response, in supporting security dimensions and defense-in-depth layers for data centers. The dimensions and layers in ANSIS and ITU-T X.805 are largely preventive and detective controls. While the monitoring function aids in detection, it also collates information from various sources and provides the input for analysis, which can guide the incident response and recovery functions. Torsten George considers continuous monitoring and risk visualization to be 2 of the 4 key elements of cybersecurity.